Analysis
- max time kernel: 119s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-10-2024 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
- Resource: win10v2004-20241007-en
General
- Target: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
- Size: 2.6MB
- MD5: 9de6fa8f790d4cc461b260907f377ed0
- SHA1: 87caef779744371cc0f5cb9a2ec912f5b6a9f80d
- SHA256: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50
- SHA512: c19917e2a5bf5a9953e48e7f0e4d30c328cde4094425e2090be0f2187e7f935325936e6aeb66b1e0e6c4542865f6a4985b08b06a3967d5e43d5b8f257085d1ed
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe  (process: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
- Executes dropped EXE (2 IoCs)
  PID 5024: ecabod.exe
  PID 2936: devoptisys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7Y\\devoptisys.exe"  (process: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQL\\dobasys.exe"  (process: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: ecabod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devoptisys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1836: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe (first 4 entries)
  PID 5024: ecabod.exe and PID 2936: devoptisys.exe (the remaining 60 entries alternate between these two processes)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1836 (30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe) wrote to memory of PID 5024, procid_target 89  (3 entries)
  PID 1836 (30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe) wrote to memory of PID 2936, procid_target 92  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe (PID 1836)
  command line: "C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (PID 5024, child of PID 1836)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot7Y\devoptisys.exe (PID 2936, child of PID 1836)
    command line: C:\UserDot7Y\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads